Merge pull request #131 from FlowFuse/cert-manager-tls

Add support for using cert manager
FlowFuse · Jan 16, 2024 · 672aeb5 · 672aeb5
2 parents 51d5f79 + e71bdfa
commit 672aeb5
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -17,6 +17,7 @@ driver:
     projectNamespace: flowforge
     cloudProvider: aws
     privateCA: ff-ca-certs
+    certManagerIssuer: lets-encrypt
     k8sDelay: 1000
     k8sRetries: 10
 ```
@@ -28,6 +29,7 @@ should run on
 - `cloudProvider` can be left unset for none `aws` deployments. This triggers the adding of
 AWS EKS specific annotation for ALB Ingress.
 - `privateCA` name of ConfigMap holding PEM CA Cert Bundle (file name `certs.pem`) Optional
+- `certManagerIssuer` name of the ClusterIssuer to use to create HTTPS certs for instances (default not set)
 - `k8sRetries` how many times to retry actions against the K8s API
 - `k8sDelay` how long to wait (in ms) between retries to the K8s API
 

diff --git a/kubernetes.js b/kubernetes.js
@@ -360,6 +360,18 @@ const createIngress = async (project, options) => {
 
     const localIngress = JSON.parse(JSON.stringify(ingressTemplate))
 
+    if (this._certManagerIssuer) {
+        localIngress.metadata.annotations['cert-manager.io/cluster-issuer'] = this._certManagerIssuer
+        localIngress.spec.tls = [
+            {
+                hosts: [
+                    url.host
+                ],
+                secretName: project.safeName
+            }
+        ]
+    }
+
     // process annotations with potential replacements
     Object.keys(localIngress.metadata.annotations).forEach((key) => {
         localIngress.metadata.annotations[key] = mustache(localIngress.metadata.annotations[key], exposedData)
@@ -593,6 +605,7 @@ module.exports = {
         this._namespace = this._app.config.driver.options.projectNamespace || 'flowforge'
         this._k8sDelay = this._app.config.driver.options.k8sDelay || 1000
         this._k8sRetries = this._app.config.driver.options.k8sRetries || 10
+        this._certManagerIssuer = this._app.config.driver.options._certManagerIssuer
 
         const kc = new k8s.KubeConfig()
 
@@ -753,6 +766,14 @@ module.exports = {
             this._app.log.error(`[k8s] Project ${project.id} - error deleting ingress: ${err.toString()}`)
         }
 
+        if (this._certManagerIssuer) {
+            try {
+                await this._k8sApi.deleteNamespacedSecret(project.safeName, this._namespace)
+            } catch (err) {
+                this._app.log.error(`[k8s] Project ${project.id} - error deleting tls secret: ${err.toString()}`)
+            }
+        }
+
         // Note that, regardless, the main objective is to delete deployment (runnable)
         // Even if some k8s resources like ingress or service are still not deleted (maybe because of
         // k8s service latency), the most important thing is to get to deployment.
@@ -851,6 +872,13 @@ module.exports = {
         } catch (err) {
             this._app.log.error(`[k8s] Project ${project.id} - error deleting ingress: ${err.toString()}`)
         }
+        if (this._certManagerIssuer) {
+            try {
+                await this._k8sApi.deleteNamespacedSecret(project.safeName, this._namespace)
+            } catch (err) {
+                this._app.log.error(`[k8s] Project ${project.id} - error deleting tls secret: ${err.toString()}`)
+            }
+        }
         try {
             if (project.safeName.match(/^[0-9]/)) {
                 await this._k8sApi.deleteNamespacedService('srv-' + project.safeName, this._namespace)